Home Depot let big threats slide

Retailer confirms 56 million credit cards compromised

Published 10:31 pm, Friday, September 19, 2014

The risks were clear to computer experts inside Home Depot: The home-improvement chain, they warned for years, might be easy prey for hackers.

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers' credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

Yet long before the attack came to light this month, Home Depot's handling of its computer security was a record of missteps. Interviews with former members of the company's cybersecurity team — who spoke on the condition they not be named, because they still work in the industry — suggest the company was slow to respond to early threats and only belatedly took action.

In recent years, Home Depot relied on outdated software to protect its network and only irregularly scanned the systems that handled customer information. Some members of its cybersecurity team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data.

Then, in 2012, Home Depot hired a computer engineer to help oversee security at its 2,200 stores. But this year, that engineer was sentenced to four years in prison for deliberately disabling the computers at the company where he previously worked.

Company officials said the malware used against Home Depot had not been seen before and would have been difficult to detect. Home Depot said on Thursday that it had patched any holes and that its customers' cards were safe. It did not provide additional details. Stephen Holmes, a Home Depot spokesman, said the company improved its security this year by encrypting register systems and switching to a new smart-chip-based payment standard.

"Our guiding principle is to do what's right by our customers," Holmes said. The company maintains "robust security systems," he said.

Several former Home Depot employees said they were not surprised that the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: "We sell hammers."

Thefts like the one that hit Home Depot — and an ever-growing list of merchants including Albertsons, UPS, Goodwill Industries and Neiman Marcus — are the "new normal," according to security experts. They say retailers have not only been complacent about security, they have also been reluctant to share information with one another.